
Cyberoam Best Practices

Cyberoam Best Practices is a collection of guidelines for the most secure and reliable
operation of Cyberoam units in a customer environment. It is updated periodically as new issues
are identified.

General Considerations
1. After making configuration changes, always check the output of the following commands from
the Cyberoam Telnet Console and confirm the result:
• show network interface – to view the IP address details
• ip route list table 221 – to view the gateway configured in Cyberoam
• route show – to view routing information
2. To monitor and diagnose network problems and to catch database bottlenecks early, check the
health of the appliance with the diagnostic tool every 15 days. The tool is at http://<Cyberoam
WAN IP address>/dg.html with username ‘cyberoam’ and password ‘cyber’. Because it is served
over plain HTTP on the WAN address with a fixed credential, restrict access to it to the
administrator hosts that need it.
3. Always connect the Cyberoam WAN interface to the router through a hub or switch, not a
crossover cable, to avoid:
• auto-negotiation problems between the Cyberoam WAN interface and the router
• gateway ping problems
4. When the default policy is “Deny All” and desktops are configured with an internal DNS
server address, create a Clientless user or a firewall rule that allows Internet access for that
DNS server address, to avoid:
• DNS resolution problems
• HTTP client page display problems
5. If users have a browser-based proxy setting, make sure the HTTP proxy port configured on
Cyberoam is the same as the one configured in the desktop browser.
6. For security purposes, Gateway mode is preferred because all internal and DMZ networks
can use private addresses. Gateway mode policies use network address translation to hide
those addresses from users in a less secure zone.
7. When creating a Clientless user, assign as the Login Node restriction only IP addresses that
belong to the Local zone. If the addresses do not belong to the Local zone, the Clientless
users will not be displayed in the Live Users list.

Local ACL
1. Do not use Class A IP addresses for networks defined under Auth Network.
2. Do not allow access to the proxy port on the WAN interface.
3. Add all internally routed networks under Auth Network for authentication, and do an RMS
(Restart Management Service) after adding or updating them.
4. If the LAN zone contains routed networks, such as a branch office network reached over a
Point-to-Point link or a Layer 3 switch, create static routes in Cyberoam that forward requests
for those networks to the respective next hop.
5. From Local ACL, enable access to the services running on Cyberoam from the zones (LAN,
WAN and DMZ) that need to reach them.
6. Add all nodes from which Clientless users will log on under Auth Network. If these nodes are
not in Auth Network, the Clientless users will not be displayed in the Live Users list.
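The following script is an added example, not part of the Cyberoam document, covering item 1 of General Considerations (checking the gateway in table 221 after a change) and item 4 of Local ACL (static routes for routed networks). It assumes the Telnet console's `ip route list table 221` and `route show` return standard Linux iproute2 text such as "default via 203.0.113.1 dev eth1"; the sample outputs, addresses and interface names are constructed. Paste the real console output into the two strings and run it after every change.

```python
"""Post-change route verification for a Cyberoam unit (added example).

Assumes iproute2-style output from the console; sample tables are constructed.
Checks that the default route in table 221 points at the configured gateway and
that every routed network under Auth Network has a static route to its next hop.
"""
import ipaddress
import re

# Constructed sample of `ip route list table 221` (the gateway table).
TABLE_221 = """\
default via 203.0.113.1 dev eth1
"""

# Constructed sample of the main table (`route show`): WAN, LAN, a branch
# office behind a Layer 3 switch at 192.168.1.254, and the default route.
MAIN_TABLE = """\
203.0.113.0/24 dev eth1  proto kernel  scope link  src 203.0.113.10
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
10.10.0.0/16 via 192.168.1.254 dev eth0
default via 203.0.113.1 dev eth1
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Parse iproute2 output into dicts with an IPv4Network 'dst', 'via' and 'dev'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append({"dst": ipaddress.ip_network(dst, strict=False),
                       "via": m.group("via"), "dev": m.group("dev")})
    return routes


def default_gateway(routes):
    """Next hop of the default route, or None if the table has none."""
    for r in routes:
        if r["dst"].prefixlen == 0:
            return r["via"]
    return None


def check_gateway(table_221_text, expected_gw):
    """True if table 221 sends default traffic to the gateway you configured."""
    return default_gateway(parse_routes(table_221_text)) == expected_gw


def check_static_route(main_text, branch_net, next_hop):
    """True if the branch network is reached via the expected next hop."""
    want = ipaddress.ip_network(branch_net)
    return any(r["dst"] == want and r["via"] == next_hop
               for r in parse_routes(main_text))


def unrouted_auth_networks(main_text, auth_networks):
    """Auth Network entries covered only by the default route: these would be
    sent to the Internet gateway instead of the internal next hop."""
    routes = [r for r in parse_routes(main_text) if r["dst"].prefixlen > 0]
    return [str(net) for net in map(ipaddress.ip_network, auth_networks)
            if not any(net.subnet_of(r["dst"]) for r in routes)]


if __name__ == "__main__":
    print("gateway ok:", check_gateway(TABLE_221, "203.0.113.1"))
    print("branch route ok:", check_static_route(MAIN_TABLE, "10.10.0.0/16", "192.168.1.254"))
    print("unrouted:", unrouted_auth_networks(
        MAIN_TABLE, ["192.168.1.0/24", "10.10.5.0/24", "172.16.0.0/24"]))
```

An Auth Network entry that shows up as unrouted is the case item 4 warns about: authentication traffic for that branch is sent to the default gateway rather than to the Layer 3 switch, so add the static route and then do the RMS from item 3.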

Firewall
1. Create a Host or Host group (an IP address, a range of IP addresses or a subnet) and a
Service or Service group, then use them to build firewall rules for those specific addresses,
ranges and services.
2. Create a firewall rule for the DNS server address if desktops are configured with a public
DNS server address and the default policy is “Deny All”.
3. Create firewall rules to allow the required and critical traffic across each zone, because,
except for LAN to WAN traffic, Cyberoam drops all traffic between zones. This applies in both
Bridge and Gateway mode. For example, if a mail server is placed in the DMZ zone, Cyberoam
will not allow access to it from the LAN or WAN zone:
• To access specific applications running on the mail server, create the necessary firewall
rule from each zone.
• Create a firewall rule to give the outside world access to the mail server.
4. Create firewall rules to allow the applications running in the DMZ, since all traffic from LAN
to DMZ is dropped by default.
5. If Cyberoam is configured in Bridge mode and the DHCP server is in the WAN zone, create a
firewall rule that allows packets from the DHCP server to the LAN so that desktops can lease
IP addresses.
6. If an alias IP address is configured on the Cyberoam WAN port, create SNAT and DNAT rules
that map the alias to the private address. For example, if the MX IP address is assigned as an
alias on the WAN port, create SNAT and DNAT rules mapping the mail server's private address
to that public address.
7. If Cyberoam is configured for multiple Internet service providers, i.e. multiple gateways:
• To improve browsing speed and reduce latency, create a firewall rule that routes requests to
a DNS server address through a specific gateway. With load balancing, if the DNS server
belongs to ISP1 but the query leaves through ISP2, latency rises and resolving a site name
takes longer.
• If an application such as a VPN, SAP or ERP application is allowed only from a specific IP
address, create a firewall rule that routes that application's requests from the specific IP
address only.
• Create source-based explicit routing for specific IP addresses. For example, a mail server is
placed in the internal network and a DNAT rule for it is created on Cyberoam. When the mail
server is accessed from the outside world, its traffic may leave through any of the configured
gateways, and the connection will not be established. To avoid this, create source-based
routing that forwards traffic originating from the mail server's IP address to a specific
gateway. This lets the connection complete and reduces the chance of the returnmxcheck
problem, where the remote side sees the mail server's traffic arriving from a public address
other than its MX address.
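The following model is an added example, not Cyberoam's own routing logic. It evaluates the three rules from item 7 ahead of the load balancer: DNS queries are pinned to the ISP that owns the resolver, a named application is pinned to its registered source address and gateway, and the mail server is source-routed through the link whose public alias is DNAT'd to it. The ISP names, all addresses, the application pin and the toy destination-parity load balancer are constructed assumptions; `reply_path_ok` shows the failure the text describes when the source-based rule is missing.

```python
"""Egress-gateway selection for a multi-ISP Cyberoam deployment (added example).

All data below is constructed; the load balancer is a toy stand-in.
"""
import ipaddress

# Constructed ISP data: gateway address, the resolver it serves and the
# public alias (MX address) configured on the WAN port for that link.
GATEWAYS = {
    "ISP1": {"gw": "203.0.113.1", "dns": {"203.0.113.53"}, "public": "203.0.113.25"},
    "ISP2": {"gw": "198.51.100.1", "dns": {"198.51.100.53"}, "public": "198.51.100.25"},
}

MAIL_SERVER = "192.168.1.25"            # private address of the internal mail server
DNAT = {"203.0.113.25": MAIL_SERVER}    # public alias -> private host (ISP1 link)

# Application pins: (destination network, port) -> (registered source, gateway).
# The remote side accepts the application only from the address it knows.
APP_PINS = {
    (ipaddress.ip_network("192.0.2.0/24"), 1723): ("192.168.1.10", "ISP1"),  # VPN
}


def load_balance(dst):
    """Toy stand-in for the load balancer: spread flows by destination parity."""
    names = sorted(GATEWAYS)
    return names[int(ipaddress.ip_address(dst)) % len(names)]


def select_gateway(src, dst, dport, source_routing=True):
    """Return (gateway name, reason) for an outbound flow src -> dst:dport."""
    # 1. Source-based route: traffic from the DNAT'd host must leave on the
    #    link whose public alias points at it, or the remote peer sees the
    #    reply from a different public address and the connection never completes.
    if source_routing:
        for name, isp in GATEWAYS.items():
            if DNAT.get(isp["public"]) == src:
                return name, "source-based route"
    # 2. DNS: send the query to the resolver over the ISP that owns it.
    if dport == 53:
        for name, isp in GATEWAYS.items():
            if dst in isp["dns"]:
                return name, "DNS pinned to owning ISP"
    # 3. Application pins match only the registered source; any other source
    #    falls through to the load balancer (and may be refused remotely).
    dst_ip = ipaddress.ip_address(dst)
    for (net, port), (allowed_src, name) in APP_PINS.items():
        if dst_ip in net and dport == port and src == allowed_src:
            return name, "application pinned"
    return load_balance(dst), "load balanced"


def reply_path_ok(inbound_public, remote, dport=25, source_routing=True):
    """Does the DNAT'd host's traffic leave on the link the connection arrived on?"""
    arrived_via = next(n for n, i in GATEWAYS.items() if i["public"] == inbound_public)
    leaves_via, _ = select_gateway(DNAT[inbound_public], remote, dport, source_routing)
    return arrived_via == leaves_via


if __name__ == "__main__":
    for remote in ("192.0.2.80", "192.0.2.81"):
        for sr in (False, True):
            state = "OK" if reply_path_ok("203.0.113.25", remote, source_routing=sr) else "BROKEN"
            print(remote, "with source routing" if sr else "load balance only", state)
```

With only the load balancer, roughly half of the remote peers (here, every odd last octet) get the mail server's traffic on ISP2 while the connection arrived on ISP1's alias, which is the asymmetry behind the connection failure and the returnmxcheck problem in item 7. The source-based rule wins regardless of destination because it is evaluated first.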

Document Version – 1.0 – 06/02/2007
